Ubuntu Security Notice 5767-1 - Nicky Mouha discovered that Python incorrectly handled certain SHA-3 internals. An attacker could possibly use this issue to cause a crash or execute arbitrary code. It was discovered that Python incorrectly handled certain IDNA inputs. An attacker could possibly use this issue to expose sensitive information denial of service, or cause a crash.

=========================================================================  
Ubuntu Security Notice USN-5767-1  
December 08, 2022

python2.7, python3.10, python3.6, python3.8 vulnerabilities  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Python.

Software Description:  
- python3.10: An interactive high-level object-oriented language  
- python3.8: An interactive high-level object-oriented language  
- python2.7: An interactive high-level object-oriented language  
- python3.6: An interactive high-level object-oriented language

Details:

Nicky Mouha discovered that Python incorrectly handled certain SHA-3 internals.  
An attacker could possibly use this issue to cause a crash or execute arbitrary code.  
(CVE-2022-37454)

It was discovered that Python incorrectly handled certain IDNA inputs.  
An attacker could possibly use this issue to expose sensitive information  
denial of service, or cause a crash.  
(CVE-2022-45061)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
  libpython3.10                   3.10.7-1ubuntu0.2  
  python3.10                      3.10.7-1ubuntu0.2

Ubuntu 22.04 LTS:  
  libpython3.10                   3.10.6-1~22.04.2  
  python3.10                      3.10.6-1~22.04.2

Ubuntu 20.04 LTS:  
  libpython3.8                    3.8.10-0ubuntu1~20.04.6  
  python3.8                       3.8.10-0ubuntu1~20.04.6

Ubuntu 18.04 LTS:  
  libpython2.7                    2.7.17-1~18.04ubuntu1.10  
  libpython3.6                    3.6.9-1~18.04ubuntu1.9  
  python2.7                       2.7.17-1~18.04ubuntu1.10  
  python3.6                       3.6.9-1~18.04ubuntu1.9

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5767-1  
  CVE-2022-37454, CVE-2022-45061

Package Information:  
  https://launchpad.net/ubuntu/+source/python3.10/3.10.7-1ubuntu0.2  
  https://launchpad.net/ubuntu/+source/python3.10/3.10.6-1~22.04.2  
  https://launchpad.net/ubuntu/+source/python3.8/3.8.10-0ubuntu1~20.04.6  
  https://launchpad.net/ubuntu/+source/python2.7/2.7.17-1~18.04ubuntu1.10  
  https://launchpad.net/ubuntu/+source/python3.6/3.6.9-1~18.04ubuntu1.9

Ubuntu Security Notice USN-5767-1

Ubuntu Security Notice 5768-1 - Jan Engelhardt, Tavis Ormandy, and others discovered that the GNU C Library iconv feature incorrectly handled certain input sequences. An attacker could possibly use this issue to cause the GNU C Library to hang or crash, resulting in a denial of service. It was discovered that the GNU C Library did not properly handled DNS responses when ENDS0 is enabled. An attacker could possibly use this issue to cause fragmentation-based attacks.

    =========================================================================Ubuntu Security Notice USN-5768-1December 08, 2022glibc vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Several security issues were fixed in GNU C Library.Software Description:- glibc: GNU C LibraryDetails:Jan Engelhardt, Tavis Ormandy, and others discovered that the GNU C Libraryiconv feature incorrectly handled certain input sequences. An attackercould possibly use this issue to cause the GNU C Library to hang or crash,resulting in a denial of service.  (CVE-2016-10228, CVE-2019-25013,CVE-2020-27618)It was discovered that the GNU C Library did not properly handled DNSresponses when ENDS0 is enabled. An attacker could possibly use this issueto cause fragmentation-based attacks. (CVE-2017-12132)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:  libc6                           2.23-0ubuntu11.3+esm3After a standard system update you need to reboot your computer to makeall the necessary changes.References:  https://ubuntu.com/security/notices/USN-5768-1  CVE-2016-10228, CVE-2017-12132, CVE-2019-25013, CVE-2020-27618

Ubuntu Security Notice USN-5768-1

Red Hat Security Advisory 2022-8781-01 - Logging Subsystem for Red Hat OpenShift has a security update. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Logging Subsystem 5.5.5 - Red Hat OpenShift security update  
Advisory ID:       RHSA-2022:8781-01  
Product:           Logging Subsystem for Red Hat OpenShift  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8781  
Issue date:        2022-12-08  
CVE Names:         CVE-2016-3709 CVE-2020-35525 CVE-2020-35527   
                   CVE-2020-36516 CVE-2020-36518 CVE-2020-36558   
                   CVE-2021-3640 CVE-2021-30002 CVE-2022-0168   
                   CVE-2022-0561 CVE-2022-0562 CVE-2022-0617   
                   CVE-2022-0854 CVE-2022-0865 CVE-2022-0891   
                   CVE-2022-0908 CVE-2022-0909 CVE-2022-0924   
                   CVE-2022-1016 CVE-2022-1048 CVE-2022-1055   
                   CVE-2022-1184 CVE-2022-1292 CVE-2022-1304   
                   CVE-2022-1355 CVE-2022-1586 CVE-2022-1785   
                   CVE-2022-1852 CVE-2022-1897 CVE-2022-1927   
                   CVE-2022-2068 CVE-2022-2078 CVE-2022-2097   
                   CVE-2022-2509 CVE-2022-2586 CVE-2022-2639   
                   CVE-2022-2879 CVE-2022-2880 CVE-2022-2938   
                   CVE-2022-3515 CVE-2022-20368 CVE-2022-21499   
                   CVE-2022-21618 CVE-2022-21619 CVE-2022-21624   
                   CVE-2022-21626 CVE-2022-21628 CVE-2022-22624   
                   CVE-2022-22628 CVE-2022-22629 CVE-2022-22662   
                   CVE-2022-22844 CVE-2022-23960 CVE-2022-24448   
                   CVE-2022-25255 CVE-2022-26373 CVE-2022-26700   
                   CVE-2022-26709 CVE-2022-26710 CVE-2022-26716   
                   CVE-2022-26717 CVE-2022-26719 CVE-2022-27404   
                   CVE-2022-27405 CVE-2022-27406 CVE-2022-27664   
                   CVE-2022-27950 CVE-2022-28390 CVE-2022-28893   
                   CVE-2022-29581 CVE-2022-30293 CVE-2022-32189   
                   CVE-2022-34903 CVE-2022-36946 CVE-2022-37434   
                   CVE-2022-37603 CVE-2022-39399 CVE-2022-41715   
                   CVE-2022-42003 CVE-2022-42004   
=====================================================================

1. Summary:

Logging Subsystem 5.5.5 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.5.5 - Red Hat OpenShift

Security Fixe(s):

* jackson-databind: denial of service via a large depth of nested  
objects (CVE-2020-36518)

* golang: net/http: handle server errors after sending GOAWAY  
(CVE-2022-27664)

* golang: archive/tar: unbounded memory consumption when reading headers  
(CVE-2022-2879, CVE-2022-2880, CVE-2022-41715)

* jackson-databind: deep wrapper array nesting wrt  
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* loader-utils: Regular expression denial of service (CVE-2022-37603)

* golang: math/big: decoding big.Float and big.Rat types can panic if the  
encoded message is too short, potentially allowing a denial of service  
(CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this errata update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

For Red Hat OpenShift Logging 5.5, see the following instructions to apply  
this update:

https://docs.openshift.com/container-platform/4.11/logging/cluster-logging-upgrading.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects  
2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service  
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY  
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers  
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters  
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps  
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS  
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays  
2140597 - CVE-2022-37603 loader-utils:Regular expression denial of service

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-2860 - Error on LokiStack Components when forwarding logs to Loki on proxy cluster  
LOG-3131 - vector: kube API server certificate validation failure due to hostname mismatch  
LOG-3222 - [release-5.5] fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs  
LOG-3226 - FluentdQueueLengthIncreasing rule failing to be evaluated.  
LOG-3284 - [release-5.5][Vector] logs parsed into structured when json is set without structured types.  
LOG-3287 - [release-5.5] Increase value of cluster-logging PriorityClass to move closer to system-cluster-critical value  
LOG-3301 - [release-5.5][ClusterLogging] elasticsearchStatus in ClusterLogging instance CR is not updated when Elasticsearch status is changed  
LOG-3305 - [release-5.5] Kibana Authentication Exception cookie issue  
LOG-3310 - [release-5.5] Can't choose correct CA ConfigMap Key when creating lokistack in Console  
LOG-3332 - [release-5.5] Reconcile error on controller when creating LokiStack with tls config

6. References:

https://access.redhat.com/security/cve/CVE-2016-3709  
https://access.redhat.com/security/cve/CVE-2020-35525  
https://access.redhat.com/security/cve/CVE-2020-35527  
https://access.redhat.com/security/cve/CVE-2020-36516  
https://access.redhat.com/security/cve/CVE-2020-36518  
https://access.redhat.com/security/cve/CVE-2020-36558  
https://access.redhat.com/security/cve/CVE-2021-3640  
https://access.redhat.com/security/cve/CVE-2021-30002  
https://access.redhat.com/security/cve/CVE-2022-0168  
https://access.redhat.com/security/cve/CVE-2022-0561  
https://access.redhat.com/security/cve/CVE-2022-0562  
https://access.redhat.com/security/cve/CVE-2022-0617  
https://access.redhat.com/security/cve/CVE-2022-0854  
https://access.redhat.com/security/cve/CVE-2022-0865  
https://access.redhat.com/security/cve/CVE-2022-0891  
https://access.redhat.com/security/cve/CVE-2022-0908  
https://access.redhat.com/security/cve/CVE-2022-0909  
https://access.redhat.com/security/cve/CVE-2022-0924  
https://access.redhat.com/security/cve/CVE-2022-1016  
https://access.redhat.com/security/cve/CVE-2022-1048  
https://access.redhat.com/security/cve/CVE-2022-1055  
https://access.redhat.com/security/cve/CVE-2022-1184  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1304  
https://access.redhat.com/security/cve/CVE-2022-1355  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-1785  
https://access.redhat.com/security/cve/CVE-2022-1852  
https://access.redhat.com/security/cve/CVE-2022-1897  
https://access.redhat.com/security/cve/CVE-2022-1927  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2078  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-2509  
https://access.redhat.com/security/cve/CVE-2022-2586  
https://access.redhat.com/security/cve/CVE-2022-2639  
https://access.redhat.com/security/cve/CVE-2022-2879  
https://access.redhat.com/security/cve/CVE-2022-2880  
https://access.redhat.com/security/cve/CVE-2022-2938  
https://access.redhat.com/security/cve/CVE-2022-3515  
https://access.redhat.com/security/cve/CVE-2022-20368  
https://access.redhat.com/security/cve/CVE-2022-21499  
https://access.redhat.com/security/cve/CVE-2022-21618  
https://access.redhat.com/security/cve/CVE-2022-21619  
https://access.redhat.com/security/cve/CVE-2022-21624  
https://access.redhat.com/security/cve/CVE-2022-21626  
https://access.redhat.com/security/cve/CVE-2022-21628  
https://access.redhat.com/security/cve/CVE-2022-22624  
https://access.redhat.com/security/cve/CVE-2022-22628  
https://access.redhat.com/security/cve/CVE-2022-22629  
https://access.redhat.com/security/cve/CVE-2022-22662  
https://access.redhat.com/security/cve/CVE-2022-22844  
https://access.redhat.com/security/cve/CVE-2022-23960  
https://access.redhat.com/security/cve/CVE-2022-24448  
https://access.redhat.com/security/cve/CVE-2022-25255  
https://access.redhat.com/security/cve/CVE-2022-26373  
https://access.redhat.com/security/cve/CVE-2022-26700  
https://access.redhat.com/security/cve/CVE-2022-26709  
https://access.redhat.com/security/cve/CVE-2022-26710  
https://access.redhat.com/security/cve/CVE-2022-26716  
https://access.redhat.com/security/cve/CVE-2022-26717  
https://access.redhat.com/security/cve/CVE-2022-26719  
https://access.redhat.com/security/cve/CVE-2022-27404  
https://access.redhat.com/security/cve/CVE-2022-27405  
https://access.redhat.com/security/cve/CVE-2022-27406  
https://access.redhat.com/security/cve/CVE-2022-27664  
https://access.redhat.com/security/cve/CVE-2022-27950  
https://access.redhat.com/security/cve/CVE-2022-28390  
https://access.redhat.com/security/cve/CVE-2022-28893  
https://access.redhat.com/security/cve/CVE-2022-29581  
https://access.redhat.com/security/cve/CVE-2022-30293  
https://access.redhat.com/security/cve/CVE-2022-32189  
https://access.redhat.com/security/cve/CVE-2022-34903  
https://access.redhat.com/security/cve/CVE-2022-36946  
https://access.redhat.com/security/cve/CVE-2022-37434  
https://access.redhat.com/security/cve/CVE-2022-37603  
https://access.redhat.com/security/cve/CVE-2022-39399  
https://access.redhat.com/security/cve/CVE-2022-41715  
https://access.redhat.com/security/cve/CVE-2022-42003  
https://access.redhat.com/security/cve/CVE-2022-42004  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5G9q9zjgjWX9erEAQgdfBAApTzFp8Tp32Bv5jN1EnhSqzcQ93cUa2Nr  
ot9YGh2Dzqr0lzAP2uf1O61EEYq9mte6X4DckjUDo7BT7u5ZZxMWWSstpNbFUzXl  
4xs393yEZM52DN174XOP5V7GUG0pyNlEqHYMGjdZF6pzIx2zzF300kAjB4Hpg4wK  
kKUDVnIyHlvlNcsvjms4p1rzAsIns4c73W89KVkwMyo1pvPQt6v34BWZg5DNnYAM  
hTzl0JR5XRYW4aZhIMq7FApvh4GeA7n7L0kmnDHFVcx0cnrHrjHZxmRQX0Gai1bc  
r8MvGvbMTqEAZ4VKKrgNVvVzkdrO4dw20JfbskPgTIbFXH6ns5605b31veRhMYmv  
NCSJUbq4BLYVAZEhmLa0QIqru1WVCB1e2eRUhvehLiuVlAkgmIgtKvECZ3kpQHxj  
DvOdnaWC5R9eKtNlX9N1xOtqgOF2w+/M+5ml5RJgq48Wlb41VpypDIKFBUXh+wR9  
ArrG8kao75Hl0t8/YQMouqDvgJLNgfceF+WETYryfDus9OlB4YMxhI88mx7HH9zu  
Hy4rb7RhF1OcH/kWjmMl/YJQpYSFKJDyls3tAx5ZAWGCpwAzoBZoc9BEKUQwVfnW  
f3PFotJeQdxKBsbqKVF5h0gHcfSUP+P0kQhx1GD51kxJkUmq47m3OZKIe1QLwYgm  
T1GSDHkQTcg=  
=y/FA  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8781-01

Red Hat Security Advisory 2022-8849-01 - An update for python-XStatic-Angular is now available for Red Hat OpenStack Platform 16.2.4 (Train).

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 16.2.4 (python-XStatic-Angular) security update  
Advisory ID:       RHSA-2022:8849-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8849  
Issue date:        2022-12-07  
CVE Names:         CVE-2019-10768  
====================================================================  
1. Summary:

An update for python-XStatic-Angular is now available for Red Hat OpenStack  
Platform 16.2.4 (Train).

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.2 - noarch

3. Description:

Angular JavaScript library packaged for setuptools (easy_install) / pip.

Security Fix(es):

* Prototype pollution in merge function could result in code injection  
(CVE-2019-10768)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1813309 - CVE-2019-10768 AngularJS: Prototype pollution in merge function could result in code injection

6. Package List:

Red Hat OpenStack Platform 16.2:

Source:  
python-XStatic-Angular-1.5.8.0-13.el8ost.src.rpm

noarch:  
XStatic-Angular-common-1.5.8.0-13.el8ost.noarch.rpm  
python3-XStatic-Angular-1.5.8.0-13.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10768  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5FpVdzjgjWX9erEAQhHKw//R+N/9lZBpBGHZo/FYTh/4l1u1L/m07bG  
wW/+z3D185zL4LZQQS//K2WpzMgZEgEV8GlvVJ8FG0Olw8urrZzervxI8r72xApD  
9Wx0TAFh8Sgf/t5qJvvt022jrXlOE9/+Y9EjYxoSWkbVmFUKUodeL4Me1H0oTpRY  
OzKtkRg/E7TNwQEllFpJgyFICUoUr21EyhreE7gSRga/2MqVNDwsWOiPhcxNZqB1  
Cz/yssJftzrUL3dbi9BbOsIelsMDAS9woSkZD7uS4xXdNmwcFxbxVazaX6L/XzuR  
HTETjmy2xxy/oO6eFj8/Ym/ZvjnCxkesaSigvUMFV5CMNqMEMWO4xZKdDXTuFY4X  
4iZFc4FTQKwRqd8bCosFEqUcinw3NmuByIU3MnPhSbaY0La+FsqbZ614K+wBxxlC  
NlBfUV5WkgYWP/Jd++I4vOWOLoxfabplRlvN84lperErtieX+YAMKZWgQpP0rEXd  
bfC9O3/N1sfA3wg4ZFf8KQPFPR9EAEaI3WPyqmrx7QX6wt+nO1n6HueiQ8G2hkfT  
RAkBCoPikgNk7mLBxFdicMX8mvawKoDGam3SByk8NLK6nS4TDogfmTKOhioaRL18  
e3JvzZ0Qyr3xHdnXwyOHpbZEL2lOCcgAOQIWxDbUj7EZul9Vu5jpFHtqYmPHmOEn  
YO5E1kZUxbE=KRoQ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8849-01

Red Hat Security Advisory 2022-8852-01 - A fast multidimensional array facility for Python. Issues addressed include a null pointer vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 16.2.4 (numpy) security update  
Advisory ID:       RHSA-2022:8852-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8852  
Issue date:        2022-12-07  
CVE Names:         CVE-2021-41495  
====================================================================  
1. Summary:

An update for numpy is now available for Red Hat OpenStack Platform 16.2.4  
(Train) for Red Hat Enterprise Linux (RHEL) 8.4.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.2 - ppc64le, x86_64

3. Description:

A fast multidimensional array facility for Python

Security Fix(es):

* NULL pointer dereference in numpy.sort in the PyArray_DescrNew() due  
to missing return-value validation (CVE-2021-41495)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2035037 - CVE-2021-41495 numpy: NULL pointer dereference in numpy.sort in in the PyArray_DescrNew() due to missing return-value validation

6. Package List:

Red Hat OpenStack Platform 16.2:

Source:  
numpy-1.17.0-11.el8ost.src.rpm

ppc64le:  
numpy-debugsource-1.17.0-11.el8ost.ppc64le.rpm  
python3-numpy-1.17.0-11.el8ost.ppc64le.rpm  
python3-numpy-debuginfo-1.17.0-11.el8ost.ppc64le.rpm  
python3-numpy-f2py-1.17.0-11.el8ost.ppc64le.rpm

x86_64:  
numpy-debugsource-1.17.0-11.el8ost.x86_64.rpm  
python3-numpy-1.17.0-11.el8ost.x86_64.rpm  
python3-numpy-debuginfo-1.17.0-11.el8ost.x86_64.rpm  
python3-numpy-f2py-1.17.0-11.el8ost.x86_64.rpm

Red Hat OpenStack Platform 16.2:

Source:  
numpy-1.17.0-11.el8ost.src.rpm

ppc64le:  
numpy-debugsource-1.17.0-11.el8ost.ppc64le.rpm  
python3-numpy-1.17.0-11.el8ost.ppc64le.rpm  
python3-numpy-debuginfo-1.17.0-11.el8ost.ppc64le.rpm  
python3-numpy-f2py-1.17.0-11.el8ost.ppc64le.rpm

x86_64:  
numpy-debugsource-1.17.0-11.el8ost.x86_64.rpm  
python3-numpy-1.17.0-11.el8ost.x86_64.rpm  
python3-numpy-debuginfo-1.17.0-11.el8ost.x86_64.rpm  
python3-numpy-f2py-1.17.0-11.el8ost.x86_64.rpm

Red Hat OpenStack Platform 16.2:

Source:  
numpy-1.17.0-11.el8ost.src.rpm

ppc64le:  
numpy-debugsource-1.17.0-11.el8ost.ppc64le.rpm  
python3-numpy-1.17.0-11.el8ost.ppc64le.rpm  
python3-numpy-debuginfo-1.17.0-11.el8ost.ppc64le.rpm  
python3-numpy-f2py-1.17.0-11.el8ost.ppc64le.rpm

x86_64:  
numpy-debugsource-1.17.0-11.el8ost.x86_64.rpm  
python3-numpy-1.17.0-11.el8ost.x86_64.rpm  
python3-numpy-debuginfo-1.17.0-11.el8ost.x86_64.rpm  
python3-numpy-f2py-1.17.0-11.el8ost.x86_64.rpm

Red Hat OpenStack Platform 16.2:

Source:  
numpy-1.17.0-11.el8ost.src.rpm

x86_64:  
numpy-debugsource-1.17.0-11.el8ost.x86_64.rpm  
python3-numpy-1.17.0-11.el8ost.x86_64.rpm  
python3-numpy-debuginfo-1.17.0-11.el8ost.x86_64.rpm  
python3-numpy-f2py-1.17.0-11.el8ost.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-41495  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5FpYNzjgjWX9erEAQhgfg//f83LbU6ItAgUp+zoZFPPbzSk47S195bN  
43EB3UOSd4Sf+JCtClkeGgzS05ogVF/7aEuQkpUDAMYplJrv6gxBEy1NKbW3vLOI  
/H/Zh3baeXBA9SwT57kah/iLyao4T1QvuIWQXaJRnmtNGftZWHTsldsiBQpCn+/j  
JEZx6edutX1I8U2+j4arfd2RqPWG/RnXSEBsuutoTqFz4rLI8igC+lHf9k8EiJe8  
N/5h39IUBIveahOj3zV64p4hdatQ3MMjl7cTIgeapnoigSRSPsQmX+5pQ2DPlNlu  
5ObBwCsSAmEy2cygPAq2E7/BglaYey3gxUrjPaUSUsX3FmVFaDh+sKzgnr1jS5oq  
eX+hToVOehvoDktDJs17Drv+H0xvZwYKZueACEk9oY0zWfl4PShxZqEb9Zj/G4ay  
TAoAc8+hAXE51X+INfpfMVvP5pB8y7Yk40+AWfhfojiTl34FsafG3PM8kGhhodr9  
p3HYLVVb4UhGgSTIJ+CCz4jhZrmBMYRu4R+kL4p7itZwDUVEs9eScIdHZgrHV4C9  
J9BapgqnjNq7wkrkdJFgfVh9E3lCQsOD1mHNDBcEh2PMeiZQLR294PYqspDfYmqd  
IAKuP4bz4L28euC0fsHzt6xG+Iya5UqjbkFfrGyqgNo3J0rS9YyTcGsFxtc+bYZi  
FD+LO1bgUAQ=7igt  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8852-01

Red Hat Security Advisory 2022-8874-01 - An update for openstack-barbican is now available for Red Hat OpenStack Platform 16.1.9 (Train) for Red Hat Enterprise Linux (RHEL) 8.2.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 16.1.9 (openstack-barbican) security update  
Advisory ID:       RHSA-2022:8874-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8874  
Issue date:        2022-12-07  
CVE Names:         CVE-2022-23451 CVE-2022-23452  
====================================================================  
1. Summary:

An update for openstack-barbican is now available for Red Hat OpenStack  
Platform 16.1.9 (Train) for Red Hat Enterprise Linux (RHEL) 8.2.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.1 - noarch

3. Description:

Barbican is a REST API designed for the secure storage, provisioning and  
management of secrets, including in OpenStack environments.

Security Fix(es):

* Barbican allows authenticated users to add/modify/delete arbitrary  
metadata on any secret (CVE-2022-23451)

* Barbican allows anyone with an admin role to add their secrets to a  
different project's containers (CVE-2022-23452)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1965086 - barbican with atos HSM operations alternately succeed and fail  
2025089 - CVE-2022-23451 openstack-barbican: Barbican allows authenticated users to add/modify/delete arbitrary metadata on any secret  
2025090 - CVE-2022-23452 openstack-barbican: Barbican allows anyone with an admin role to add their secrets to a different project's containers  
2025979 - Barbican unable to set up secrets  
2026029 - Support of project owned keys

6. Package List:

Red Hat OpenStack Platform 16.1:

Source:  
openstack-barbican-9.0.1-1.20220916133702.07be198.el8ost.src.rpm

noarch:  
openstack-barbican-9.0.1-1.20220916133702.07be198.el8ost.noarch.rpm  
openstack-barbican-api-9.0.1-1.20220916133702.07be198.el8ost.noarch.rpm  
openstack-barbican-common-9.0.1-1.20220916133702.07be198.el8ost.noarch.rpm  
openstack-barbican-keystone-listener-9.0.1-1.20220916133702.07be198.el8ost.noarch.rpm  
openstack-barbican-worker-9.0.1-1.20220916133702.07be198.el8ost.noarch.rpm  
python3-barbican-9.0.1-1.20220916133702.07be198.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-23451  
https://access.redhat.com/security/cve/CVE-2022-23452  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5FpgdzjgjWX9erEAQjT7Q//U9IyU9sgPQPj5R0N7E9R/aytkn0HrLKL  
6pj6TvkuLciCCEEHzbq6L8RPC79Cg/wb7oEv0rH+qnCPyi7z1A1f8E1Ai3MOceDT  
gWCWnnEvkMZGuJQaT74vgLUdUFeMPc4HvAH098QjuZmuiEz8HSW69iXMWJM9cL7t  
zPzn9z0eK/zAiJZ+6QdQRe6nU/EI9X8wevbdFwakGJKfj7C7zAlcpz/6WOKTB+0D  
DfTpxkx+mgZprLym50rOGDw6uW3hwvatQwYYQxbs8fVzin6seKhB6A8GWBhT4VBh  
K2mPxNhA6mO8rFXviwhmKLpiECoLhmK9nwJ2yIicbgVv5EWJnlR7KkdnMywo9gO3  
GJUdry29CvD7/XWqSvE8+9SxR3tcXPpSnCQvaLgH44eDPW9PZLZ0V6WCs6tfyddx  
LGLK9ozmkbjiX+FHSKMeEbpZFhJn45vc+79Navk9HBCu6kf++K5JC4XOGq9Mme3P  
kcvmBLF6M6dv3TOC2YuZF4ZSnBHVjpaObKf+4QXfRnNaPGP9G/0Z49e6D6lxZLg6  
RUgwirZ6IG0F24CR6XZLhtjbohLvbTvSatYeWuDswSpuEzUnryN1TxfS1l2WM9Mx  
BZDzJOMnJdws9Nl72C+sxga3yc4aP0JDrnwgtbKArreiK+/4eJMk/cZOvOzkV47u  
GBk1JInQlDA=zYlG  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8874-01

Red Hat Security Advisory 2022-8857-01 - Erlang is a general-purpose programming language and runtime environment. Erlang has built-in support for concurrency, distribution and fault tolerance. Erlang is used in several large telecommunication systems from Ericsson. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 16.2.4 (erlang) security update  
Advisory ID:       RHSA-2022:8857-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8857  
Issue date:        2022-12-07  
CVE Names:         CVE-2022-37026  
====================================================================  
1. Summary:

An update for erlang is now available for Red Hat OpenStack Platform 16.2.4  
(Train) on Red Hat Enterprise Linux (RHEL) 8.4.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.2 - ppc64le, x86_64

3. Description:

Erlang is a general-purpose programming language and runtime environment.  
Erlang has built-in support for concurrency, distribution and fault  
tolerance. Erlang is used in several large telecommunication systems from  
Ericsson.

Security Fix(es):

* Client Authentication Bypass (CVE-2022-37026)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2141802 - CVE-2022-37026 erlang/otp: Client Authentication Bypass

6. Package List:

Red Hat OpenStack Platform 16.2:

Source:  
erlang-23.3.4.18-1.el8ost.src.rpm

ppc64le:  
erlang-asn1-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-asn1-debuginfo-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-compiler-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-crypto-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-crypto-debuginfo-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-debuginfo-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-debugsource-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-eldap-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-erl_interface-debuginfo-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-erts-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-erts-debuginfo-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-hipe-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-inets-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-kernel-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-mnesia-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-odbc-debuginfo-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-os_mon-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-os_mon-debuginfo-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-parsetools-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-public_key-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-runtime_tools-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-runtime_tools-debuginfo-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-sasl-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-snmp-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-ssl-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-stdlib-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-syntax_tools-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-tools-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-tools-debuginfo-23.3.4.18-1.el8ost.ppc64le.rpm  
erlang-xmerl-23.3.4.18-1.el8ost.ppc64le.rpm

x86_64:  
erlang-asn1-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-asn1-debuginfo-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-compiler-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-crypto-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-crypto-debuginfo-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-debuginfo-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-debugsource-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-eldap-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-erl_interface-debuginfo-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-erts-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-erts-debuginfo-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-hipe-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-inets-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-kernel-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-mnesia-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-odbc-debuginfo-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-os_mon-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-os_mon-debuginfo-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-parsetools-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-public_key-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-runtime_tools-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-runtime_tools-debuginfo-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-sasl-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-snmp-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-ssl-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-stdlib-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-syntax_tools-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-tools-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-tools-debuginfo-23.3.4.18-1.el8ost.x86_64.rpm  
erlang-xmerl-23.3.4.18-1.el8ost.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-37026  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5FpldzjgjWX9erEAQiC5xAAgikz4PKc5MK3UvThDwTvFMhQnA7OKRWM  
6HyUCQVnvMXH8FOQBRQAkybQ0k7GHwLuVoltXfG6a+sQwUcWyFEMjn1QPxqJTdGH  
lvE4BPDxZt55qesI/r/Ed1dU6t5M0Yz5d40MTouOhTWtaoyyq0w9eRslOtc6sEUX  
jOp9AujRHtufUtqFZrJlgTMfSL7fwkRKYqOHUu0hnpFKLduK5fP1vQrVEaLBBR1e  
LcK7ozKFKK1r9xw/HwMQKUbooTwjwD7hW7GMGY/l9vYav39c91WxeN4QgYFW6Lwc  
uDBOZe0pQ71j/ujdgkPxJ/sItBvsxepqleyeYhyxpahfOgydP9Jn1DJ6nfsEkUFP  
+UirkDPUIGFxOFmelEGHlyzpBg5vDExE/iQ92lqbLseA5el3NT0MhEYQKF66ZiZm  
fN4cAC5k2GGi6M8dykQyhiWDPTCjIwy07OrGotleCE8XLATfYHG47wFwZi2lphyG  
AJkpki/WYwV7s5XYABXjKZYCcuZ/HtLP93vX1nHQnayxG2z4frO1/xl89FcxbGrs  
lIgnQmSHzySSaoyrzMx8NT+rUATG9DxKWrVQEHlFNJE1g0Vz5dW7ZKjegLViFg8Q  
Uk/8TgN+poNJHlVj4SaC50Iskyn7733l/EgGDPPEip7lup6vR4n2Vayb+HZflTfI  
k3ufCa6ZRqQ=2X4R  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8857-01

Red Hat Security Advisory 2022-8873-01 - An update for python-oslo-utils is now available for Red Hat OpenStack Platform 16.1.9 (Train) for Red Hat Enterprise Linux (RHEL) 8.2.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 16.1.9 (python-oslo-utils) security update  
Advisory ID:       RHSA-2022:8873-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8873  
Issue date:        2022-12-07  
CVE Names:         CVE-2022-0718  
====================================================================  
1. Summary:

An update for python-oslo-utils is now available for Red Hat OpenStack  
Platform 16.1.9 (Train) for Red Hat Enterprise Linux (RHEL) 8.2.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.1 - noarch

3. Description:

The OpenStack Oslo Utility library.

Security Fix(es):

* incorrect password masking in debug output (CVE-2022-0718)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2056850 - CVE-2022-0718 python-oslo-utils: incorrect password masking in debug output

6. Package List:

Red Hat OpenStack Platform 16.1:

Source:  
python-oslo-utils-3.41.6-1.20220426095230.f4deaad.el8ost.src.rpm

noarch:  
python-oslo-utils-lang-3.41.6-1.20220426095230.f4deaad.el8ost.noarch.rpm  
python3-oslo-utils-3.41.6-1.20220426095230.f4deaad.el8ost.noarch.rpm

Red Hat OpenStack Platform 16.1:

Source:  
python-oslo-utils-3.41.6-1.20220426095230.f4deaad.el8ost.src.rpm

noarch:  
python-oslo-utils-lang-3.41.6-1.20220426095230.f4deaad.el8ost.noarch.rpm  
python3-oslo-utils-3.41.6-1.20220426095230.f4deaad.el8ost.noarch.rpm

Red Hat OpenStack Platform 16.1:

Source:  
python-oslo-utils-3.41.6-1.20220426095230.f4deaad.el8ost.src.rpm

noarch:  
python-oslo-utils-lang-3.41.6-1.20220426095230.f4deaad.el8ost.noarch.rpm  
python3-oslo-utils-3.41.6-1.20220426095230.f4deaad.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-0718  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5FpmtzjgjWX9erEAQgS3Q//RqYOosziJEn6E8s0Vk7RSiHHbDGrdAYy  
CeJjTvb/4rGYW91Mr6zhuRkAgmjVOPHHcNAx18fBmig8W0yb4phF21I5IbaOezjv  
mp4r9MD7XKxtu1SPbwscIyne0HTzMKH1rtTQXRPgXxARefrANNIdsdBrH/u1c1Uo  
hL5G/ohmfu9hNWSV/2vAqKZMneIQOLWVeogmS2lVyynHwUZDluJSDbP52r7DcJ/Q  
vcyqhuzbRUBODv3s361v8TmZ1KAsypbxfs30jXRgthMx0Pz43IZ9XvoGFEhvyGSx  
lWllxT47flsDOuUulCqCvRe8TcTFRvzOQ6f6Y+YcxJZDuR3SfdjQbizySaNlglSq  
NNY8Y6AqEmZj9CGx4FkZ+OLp8IZ2D6dNRF04ILiMPoKkYS/hGe/qSU0krJ+uS9UF  
yF97rSZe7TduSVu5erE/sXVQiAHqUt/Nz/LCuRe+f8MclHaHx8KHTEs6x4fluIvD  
PlRseR2oN7ePWiTBgbQ3XMPh6wNhKsm0y1oaNK7E2dUo2qa8aQO2ziqNMZPrOJsv  
O6jc5OZes6R4XvoXCqmVPURMOdmeQJ16V7Fp1QDUWVNLvZupQFxy/RwmYPkLV4Fv  
0Ywg6QbxNHPnLBsBlW+0TeTsgLCYxICrSbUNp3duWplCWcBqKZOoXtMFfzJrD3PS  
5Jyxu/2yRRY=qIcJ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8873-01

Red Hat Security Advisory 2022-8866-01 - An update for python-XStatic-Angular is now available for Red Hat OpenStack Platform 16.1.9 (Train) for Red Hat Enterprise Linux (RHEL) 8.2.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 16.1.9 (python-XStatic-Angular) security update  
Advisory ID:       RHSA-2022:8866-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8866  
Issue date:        2022-12-07  
CVE Names:         CVE-2019-10768  
====================================================================  
1. Summary:

An update for python-XStatic-Angular is now available for Red Hat OpenStack  
Platform 16.1.9 (Train) for Red Hat Enterprise Linux (RHEL) 8.2.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.1 - noarch

3. Description:

Angular JavaScript library packaged for setuptools (easy_install) / pip.

Security Fix(es):

* Prototype pollution in merge function could result in code injection  
(CVE-2019-10768)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1813309 - CVE-2019-10768 AngularJS: Prototype pollution in merge function could result in code injection

6. Package List:

Red Hat OpenStack Platform 16.1:

Source:  
python-XStatic-Angular-1.5.8.0-13.el8ost.src.rpm

noarch:  
XStatic-Angular-common-1.5.8.0-13.el8ost.noarch.rpm  
python3-XStatic-Angular-1.5.8.0-13.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10768  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5FpatzjgjWX9erEAQhl+w/5AfKkbI34bXXE7yfPixf+GvcfYai7s7Ku  
3PBTymbKFdIla+c5zJfv5xux0YRYcqRt7tSlHHbybEEWxtrFXS9H8QSMW9q8h7QH  
B32AsI3ooAKyrTTZqWDXyri77Z2WeNGXbyTc/2OTbNJANNZjAE5OmP2YtrInh0I9  
y0Dds9U1gWJMFqO6mKamISJz6V+k7bmaaFeSHwZ59LfwIW5HD8OXM7yLsxgWyb4d  
AxUSHugrRHgmjjoAwfylYlT+VPRgL9TvAa9/kuQgrGzq4Iy3bgtO3tkoJihweM/Y  
BjxthGzwXBBA6MKHiwCqujm0GwtkfaBKMGNNJOVeY5BkqEYJOOyjN6y9kE/cYZ1K  
zxvqotXYrhvx8RzQUNhaqpjreTa4AadLvGMdBEqMunAlXdUF9n3841lcfs0/daD3  
I+N2YhPQHQ1ltusqp+50QIMf8EIAzptCQ4btMYhIRLdYYd7LwujcalqX5q4gC6is  
lngsTlZ/HwQai5UJ//BozTTWegW5zeBEcqFdqsS7D4WQM/bn5o1eR6shBIzxsAhA  
X3cpMk4vJ7E+nS+1wYVUEkmJZ26oZ4evCNYYpNu9FHtsUpN25IiM3qC5iw4GFIcZ  
/zLmVLXAt/YN/4zDuu5I9fQD/MkaMoGnYppPkMXxja2ducJNuPnZiO0n2Qi2XbwB  
qu4qTT4UppI=vX3U  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8866-01

Red Hat Security Advisory 2022-8848-01 - An update for python-XStatic-Bootstrap-SCSS is now available for Red Hat OpenStack Platform 16.2.4 (Train). Issues addressed include a cross site scripting vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack 16.2.4 (python-XStatic-Bootstrap-SCSS) security update  
Advisory ID:       RHSA-2022:8848-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8848  
Issue date:        2022-12-07  
CVE Names:         CVE-2019-8331  
====================================================================  
1. Summary:

An update for python-XStatic-Bootstrap-SCSS is now available for Red Hat  
OpenStack Platform 16.2.4 (Train).

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.2 - noarch

3. Description:

Bootstrap style library packaged for setuptools (easy_install) / pip.

Security Fix(es):

* XSS in the tooltip or popover data-template attribute (CVE-2019-8331)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute

6. Package List:

Red Hat OpenStack Platform 16.2:

Source:  
python-XStatic-Bootstrap-SCSS-3.4.1.0-2.el8ost.src.rpm

noarch:  
python3-XStatic-Bootstrap-SCSS-3.4.1.0-2.el8ost.noarch.rpm  
xstatic-bootstrap-scss-common-3.4.1.0-2.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-8331  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5FpUNzjgjWX9erEAQjGjBAAh2Z0nCYvKVcbCGmS13MXfqy6aSSdN8aJ  
KvOl8B4XW9+vSzuhqSa4IAzerJw4Uomtd8qWhdgSB5oUrWsRZ6QIR3dsou4w9zIt  
7Hq5RUNOPLDZInW4PbVPtd5yiwjYFeq4/tsX7j9RmGQsUlPox8t/a2rPzN7zzM+Y  
6Sq3kOAlhRRsnM8yUSRm1PC+vfW437kfAVIxSdIWPhgCbPy7wVc1irJrpohXOf/3  
lbn0D48UDpcuOIbY77W8AkVpmUz279m1HhCaGiYSzGq9z2L1rEcTDG2ry5qx883r  
nFMyIwrI7pdVN/EZiWxhh9LC89xjppFEVIWj8PHA2kS8Rt0GmPECY28Q7xLdoo7U  
7rJFrKe+GySbfST9Nw4HF7pUcPSr9tnKkES4RExI55mLCrISCh7F2C+NRy/sq+zf  
jDTuP1CtJnQCuSoyIBggyo4NOWpia0WGvoTi6lDnGUN2mX4hdgFIRSDVD7xUrDl1  
Q8Tk+S6wFMxg9CfUMPPd+ZftO9srq5Zgml3q7psLhZpCqMzP/UgRDfIbVLDdP+uR  
BATUT7W058hcUlFvl77Xb/lHCHRn9gDsTVuYSnLXhSnH+sqLrTk6i0LmzYsFWzeQ  
4cU98WzhIk4YQFq++6eFhEOnl7bCgqrhjiZTIsV1XzMo0kycJbhMR5g1ndbUcGDi  
Rm9yG/DRBsI=XwU6  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Source

Packet Storm